Tuesday, June 18, 2013

Automating and encrypting duplicity backups using cron

Background

Past data loss and time spent hacking on storage both suggest that
it's a good idea to have regular backups. I wanted redundancy in case my
local server failed, and I wanted to encrypt my backups using a
password-protected GPG key.

The current solution uses a passphrase kept in plain text outside of the
backup path. I plan to investigate moving the GPG key to a smartcard and
using a PIN to unlock it instead. If anyone has any additional solutions,
please describe them in detail.

Persisting requisite environmental variables

Running anything from cron detaches it from your current environment: you lose
all of the variables describing things like your ssh-agent and gpg-agent, which
you need to begin communicating with the remote server.
I took a simple approach: in my ~/.bashrc I created the following.

Note that I am also backing up my crontab and my list of installed software.
Eventually I will move this into another script that also does things like:

back up my bookmarks from Chrome and Firefox

back up mail in a non-binary format

The current cron format performs an incremental backup every night and a
full backup every Friday.

Driver script

This wraps the invocation of duplicity and acquires the necessary environmental
variables. Duplicity itself can be hairy with all the command line switches,
and even more of a burden if you have multiple targets. I have redundant backups,
first to a local server and then to a remote service provided by rsync.net (great customer
support!). I found horcrux to be a wonderful, lightweight duplicity wrapper to suit my needs.
The driver script, which is external to my backup path, also contains my GPG passphrase
to encrypt my backups. Eventually I wish to move to a smartcard-driven system illustrated here.

I found it problematic to back up only subdirectories of things like mozilla
and google-chrome; instead I will write an additional script to cherry-pick
those files for backup.
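
One way to persist the agent variables from ~/.bashrc and load them in the cron driver, as described in the two sections above. This is an added example, not the author's script: the file path ~/.agent-env and the function names are assumptions. The loader checks ownership and mode before trusting the file, and parses it instead of sourcing it.

```sh
#!/bin/sh
# Added example, not the author's script. The file path and function names are assumptions.
AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.agent-env}"

# Call from ~/.bashrc: record the interactive session's agent variables.
save_agent_env() {
    # mktemp creates the file 0600; umask 077 guards against odd implementations.
    agent_tmp="$(umask 077 && mktemp "${AGENT_ENV_FILE}.XXXXXX")" || return 1
    {
        printf 'SSH_AUTH_SOCK=%s\n' "${SSH_AUTH_SOCK:-}"
        printf 'SSH_AGENT_PID=%s\n' "${SSH_AGENT_PID:-}"
        printf 'GPG_AGENT_INFO=%s\n' "${GPG_AGENT_INFO:-}"   # only used by GnuPG before 2.1
    } > "$agent_tmp"
    # Rename is atomic, so a cron job never reads a half-written file.
    mv -f "$agent_tmp" "$AGENT_ENV_FILE"
}

# Call from the cron driver before running duplicity.
# Returns 1 missing/symlink, 2 wrong owner, 3 loose mode, 4 stale socket.
load_agent_env() {
    agent_f="$AGENT_ENV_FILE"
    [ -f "$agent_f" ] && [ ! -L "$agent_f" ] || { echo "agent env: $agent_f missing or a symlink" >&2; return 1; }
    [ -O "$agent_f" ] || { echo "agent env: $agent_f is not owned by this user" >&2; return 2; }
    # GNU stat first, BSD stat as a fallback.
    agent_mode="$(stat -c '%a' "$agent_f" 2>/dev/null || stat -f '%Lp' "$agent_f")"
    case "$agent_mode" in
        600|400) ;;
        *) echo "agent env: $agent_f has mode $agent_mode, expected 600" >&2; return 3 ;;
    esac
    # Parse KEY=value lines instead of sourcing the file, so nothing in it is
    # ever executed and only the three expected variables can be set.
    while IFS='=' read -r agent_key agent_val; do
        case "$agent_key" in
            SSH_AUTH_SOCK|SSH_AGENT_PID|GPG_AGENT_INFO) export "$agent_key=$agent_val" ;;
        esac
    done < "$agent_f"
    # Usual failure: the agent exited or the machine rebooted, and the recorded path is stale.
    [ -S "${SSH_AUTH_SOCK:-}" ] || { echo "agent env: ssh-agent socket is gone, log in again" >&2; return 4; }
}
```

A non-zero return from load_agent_env is the point at which the driver should stop and report, rather than let duplicity fail later on the remote target.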
The main horcrux config file